Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Security Pros Look at Encryption Backdoors (helpnetsecurity.com)

Posted by msmash on from the what-they-think dept.

An anonymous reader shares a report: The majority of IT security professionals believe encryption backdoors are ineffective and potentially dangerous, with 91 percent saying cybercriminals could take advantage of government-mandated encryption backdoors. 72 percent of the respondents do not believe encryption backdoors would make their nations safer from terrorists, according to a Venafi survey of 296 IT security pros, conducted at Black Hat USA 2017. Only 19 percent believe the technology industry is doing enough to protect the public from the dangers of encryption backdoors. 81 percent feel governments should not be able to force technology companies to give them access to encrypted user data. 86 percent believe consumers don't understand issues around encryption backdoors.

1 of 52 comments (clear)

  1. Security through obscurity doesn't work. by Tomahawk · · Score: 4, Informative

    Using obscurity in encryption just doesn't work. It has to be assumed that everything about the encryption method is known. Which is typically why everything about encryption methods is known - the algorithms and source code are always available to anyone.

    What is secret is the key that is used.

    Introducing a backdoor would mean that the method of how this backdoor is implemented would be known to everyone - it has to be, or at least assumed to be. So the only way to implement a backdoor "securely" is by using a key. This means hardcoding a public key into all public/private key encryption schemes and using both it and the users' public keys to encrypt the data, which is typically just encrypting the key for the symmetric encryption method (AES, for example) being used.

    I don't believe there would be a way to incorporate an extra key in a symmetric encryption system. Certainly not without seriously harming how the encryption works. And how would you hide the key? If the key is hard coded, everyone knows what it is, and can thus decrypt with it.

    Then you run into the problem of what happens once these hard coded keys are known to everyone, 'cos you know it's only a matter of time before they are either leaked or found. A global key to unencrypt all internet traffic - ever hacker and cracker, no matter if they are white, grey, black, or any other colour hat, would be searching for that key. And it wouldn't take all that long to find, given enough computing power (read: botnet).

    If a government does force this to happen, you know that they will be the first target for all of these people who find the global key(s).